Skip to main content
Sign Out

Welcome to Dell

My Account
  • Place orders quickly and easily
  • View orders and track your shipping status
  • Enjoy members-only rewards and discounts
  • Create and access a list of your products
  • Manage your Dell EMC sites, products, and product-level contacts using Company Administration.
Sign In Create an Account Premier Sign In Partner Program Sign In
Contact Us

Your Dell.com Carts

Dell Endpoint Security Suite Enterprise Advanced Installation Guide v3.8

PDF

Uninstall Encryption and Encryption on Server Operating System

  • To reduce decryption time, run the Windows Disk Cleanup Wizard to remove temporary files and other unneeded data.
  • Plan to decrypt overnight, if possible.
  • Turn off sleep mode to prevent an unattended computer from going to sleep. Decryption cannot occur on a sleeping computer.
  • Shut down all processes and applications to minimize decryption failures because of locked files.
  • Once the uninstall is complete and decryption is in progress, disable all network connectivity. Otherwise, new policies may be acquired that re-enable encryption.
  • Follow your existing process for decrypting data, such as issuing a policy update.
  • Encryption and Encryption External Media update the Dell Server to change the status to Unprotected at the beginning of a client uninstall process. However, in the event that the client cannot contact the Dell Server, regardless of the reason, the status cannot be updated. In this case, you will need to manually Remove Endpoint in the Management Console. If your organization uses this workflow for compliance purposes, Dell recommends that you verify that Unprotected has been set as expected, either in the Management Console or Managed Reports.

Process

  • Before beginning the uninstall process, see (Optional) Create an Encryption Removal Agent Log File. This log file is useful for troubleshooting an uninstall/decryption operation. If you do not intend to decrypt files during the uninstall process, you do not need to create an Encryption Removal Agent log file.
  • The Key Server (and Security Management Server) must be configured prior to uninstallation if using the Encryption Removal Agent's Download Keys from Server option. See Configure Key Server for Uninstallation of Encryption Client Activated Against Security Management Server for instructions. No prior action is needed if the client to uninstall is activated against a Security Management Server Virtual, as Security Management Server Virtual does not use the Key Server.
  • You must use the Dell Administrative Utility (CMGAd) prior launching the Encryption Removal Agent if using the Encryption Removal Agent's Import Keys from a file option. This utility is used to obtain the encryption key bundle. See Use the Administrative Download Utility (CMGAd) for instructions. The utility can be located in the Dell installation media.
  • Run WSScan to ensure that all data is decrypted after uninstallation is complete, but before restarting the computer. See Use WSScan for instructions.
  • Periodically Check Encryption Removal Agent Status. Data decryption is still in process if the Encryption Removal Agent service still exists in the services panel.

Command Line Uninstallation

  • Once extracted from the Endpoint Security Suite Enterprise master installer, the Encryption installer can be located at C:\extracted\Encryption\DDPE_XXbit_setup.exe.

  • The following table details the parameters available for the uninstallation.

    Parameter

    Selection

    CMG_DECRYPT

    Property for selecting the type of Encryption Removal Agent installation:

    3 - Use LSARecovery bundle

    2 - Use previously downloaded forensics key material

    1 - Download keys from the Dell Server

    0 - Do not install Encryption Removal Agent

    CMGSILENTMODE

    Property for silent uninstallation:

    1 - Silent - required when running with msiexec variables containing /q or /qn

    0 - Not Silent - only possible when msiexec variables containing /q are not present in the command line syntax

    Required Properties

    DA_KM_PATH

    The fully qualified path to the keybundle.

    DA_KM_PW

    The password set on the keybundle.

    DA_SERVER

    FQHN for the Security Management Server hosting the negotiate session.

    DA_PORT

    Port on the Security Management Server for request (default is 8050).

    SVCPN

    User name in UPN format that the Key Server service is logged on as on the Security Management Server.

    DA_RUNAS

    User name in SAM compatible format under whose context the key fetch request is made. This user must be in the Key Server list in the Security Management Server.

    DA_RUNASPWD

    Password for the runas user.

    FORENSIC_ADMIN

    The forensic administrator account on the Dell Server, which can be used for forensic requests for uninstalls or keys.

    FORENSIC_ADMIN_PWD

    The password for the forensic administrator account.

    Optional Properties

    SVCLOGONUN

    User name in UPN format for Encryption Removal Agent service log on as parameter.

    SVCLOGONPWD

    Password for log on as user.

  • The following example silently uninstalls Encryption and downloads the encryption keys from the Security Management Server.

    DDPE_XXbit_setup.exe /s /x /v"CMG_DECRYPT=1 CMGSILENTMODE=1 DA_SERVER=server.organization.com DA_PORT=8050 SVCPN=administrator@organization.com DA_RUNAS=domain\username DA_RUNASPWD=password /qn"

    MSI Command:

    msiexec.exe /s /x "Dell Data Protection Encryption.msi" /qn REBOOT="ReallySuppress" CMG_DECRYPT="1" CMGSILENTMODE="1" DA_SERVER="server.organization.com" DA_PORT="8050" SVCPN="administrator@domain.com" DA_RUNAS="domain\username" DA_RUNASPWD="password" /qn

    Reboot the computer when finished.

  • The following example silently uninstalls Encryption and downloads the encryptions keys using a forensic administrator account.

    DDPE_XXbit_setup.exe /s /x /v"CMG_DECRYPT=1 CMGSILENTMODE=1 FORENSIC_ADMIN=forensicadmin@organization.com FORENSIC_ADMIN_PWD=tempchangeit /qn"

    MSI Command:

    msiexec.exe /s /x "Dell Data Protection Encryption.msi" /qn CMG_DECRYPT=1 CMGSILENTMODE=1 FORENSIC_ADMIN=forensicadmin@organization.com FORENSIC_ADMIN_PWD=tempchangeit REBOOT=REALLYSUPPRESS

    Reboot the computer when finished.

  • The following example silently uninstalls Encryption using pre-downloaded keys located at C:\Users\administrator\Desktop\Admin\ using the forensic administrator password and writing logs to C:\SheildUninstall.

    DDPE_XXbit_setup.exe /s /x /v"CMG_DECRYPT=2 CMGSILENT=1 DA_KM_PATH=C:\Users\administrator\Desktop\Admin\<HOSTNAME>.bin DA_KM_PW=qwert12345 /l*v c:\ShieldUninstall.log /qn /norestart"

    MSI Command

    msiexec.exe /s /x "Dell Data Protection Encryption.msi" CMG_DECRYPT=2 CMGSILENT=1 DA_KM_PATH=C:\Users\administrator\Desktop\Admin\<HOSTNAME>.bin DA_KM_PW=qwert12345 /l*v c:\ShieldUninstall.log /qn /norestart

NOTE:

Dell recommends the following actions when using a forensic administrator password on the command line:

  1. Create a forensic administrator account in the Management Console for the purpose of performing the silent uninstallation.
  2. Use a temporary password for that account that is unique to that account and time period.
  3. After the silent uninstallation has been completed, remove the temporary account from the list of administrators or change its password.

Some older clients may require escape characters of \" around the values of parameters. For example:

DDPE_XXbit_setup.exe /x /v"CMG_DECRYPT=\"1\" CMGSILENTMODE=\"1\" DA_SERVER=\"server.organization.com\" DA_PORT=\"8050\" SVCPN=\"administrator@organization.com\" DA_RUNAS=\"domain\username\" DA_RUNASPWD=\"password\" /qn"

Rate this content

Accurate
Useful
Easy to understand
Was this article helpful?
0/3000 characters
  Please provide ratings (1-5 stars).
  Please provide ratings (1-5 stars).
  Please provide ratings (1-5 stars).
  Please select whether the article was helpful or not.
  Comments cannot contain these special characters: <>()\